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DETAILED ACTION 

Claims 2-4, 6-19, 21-33, 35-44, 47-49 are pending. Claims 48 and 49 are new. Claims 
2, 6, 7, and 35 are amended. 

Continued Examination Under 37 CFR 1.114 
A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1 .17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
01/29/2009 has been entered. 

Response to Arguments 

Applicant's arguments filed 01/29/2009 have been fully considered but they are 
not persuasive. 

Examiner respectfully disagrees with applicant's statement that neither of the 
references teach or suggest dynamic software verification. Applicant's placed emphasis 
on the use of the term "currently being executed", however, the phrase is not found 
within the claim language. Emulate in computer science as defined by dictionary.com is 
to imitate the function of, as by modifications to hardware or software that allow the 
imitating system to accept the same data, execute the same programs, and achieve the 
same results as the imitated system. The imitated system of the Nachenberg reference 
is a clone of the original system. Therefore the instructions are being emulated or in 
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other words, are being executed and scanned. Since Nachenberg shows the ability to 
fetch multiple instructions in figures 4A and 4B thus making a series of instructions. 

In response to applicant's arguments against the references individually, one 
cannot show nonobviousness by attacking references individually where the rejections 
are based on combinations of references. See In re Keller, 642 F.2d 413, 208 
USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091 , 231 USPQ 375 (Fed. Cir. 
1986). 

Claim Objections 

Claim 7 is objected to because of the following informalities: the amendment 
adds an additional "the" making the claim language read "the the". Appropriate 
correction is required. 

Claim Rejections - 35 USC § 103 

Claims 2-4, 6-19, 21-28, 30-32, and 35-44 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over Nachenberg (US 5,826,013, hereinafter '013) in view of 
Nachenberg (US 6,021,510, hereinafter '510). 

Regarding claims 2 and 35: 

013 discloses a method for verifying computer instructions in a computer that 
includes at least one processor that executes instructions stored in a memory, the 
memory being organized into separately addressable memory blocks, the method 
comprising: 

identifying a next instruction of a series of instructions to be executed when 
executing a series of instructions [figure 4A, 424, fetch instruction]; 
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for the next instruction, and during the executing of the series of instructions, 
determining an identifying value for a memory block that contains the next instruction 
[figure 4B, 468, three bytes match?- 474, viral signature match]; 

determining, during executing of the series of instructions whether the identifying 
value satisfies a validation condition, wherein the determining as to whether the 
identifying value satisfies the validation condition requires comparing the identifying 
value of the memory block with a set of reference values [figure 4B, viral signature 
match is determined from a list of stored reference values]; 

allowing execution of the next instruction by the processor when the identifying 
value satisfies the validation condition [figure 4B, 484, file is uninfected is the validation 
condition; it is inherent to that a file is allowed to execute after being deemed virus-free]; 
and 

013 does not disclose generating a protective response when the identifying 
value does not satisfy the validation condition. 510 discloses notifying the user when a 
virus is detected [column 4 lines 54-63\. All the claimed elements were known in the 
prior art at the time of invention and it would have been obvious to one of ordinary skill 
in the art to modify the method of 013 with the notification to the user and checking to 
see if a file has been modified [figure 3] as disclosed by 510 by known methods with no 
change in their respective functions, and the combination would have yielded 
predictable results to one of ordinary skill in the art at the time of invention. 

Regarding claims 3 and 36: 
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013 and 510 disclose the method of claim 2, wherein the validation condition is 
that the identifying value of the memory block matches any reference value in the set of 
reference values [510; column 4 lines 48-53, the old hash value corresponds to the new 
hash value]. 

Regarding claims 4 and 37: 

013 and 510 disclose the method of claim 2, wherein the validation condition Is 
that the identifying value of the memory block differs from each reference value in the 
set of reference values [013; 474, viral signature match determines if the hash value of 
the instruction is different than all of the reference values]. 

Regarding claims 6, 39, 48, and 49: 

013 discloses a method for verifying computer instructions in a computer that 
includes at least one processor that executes instructions stored in memory, the 
memory being organized into separately addressable memory blocks, the method 

comprising: 

identifying a current instruction to be executed when executing a series of 
instructions, the current instruction being one of the series of instructions being 
executed Identified for submission to the processor for execution and not yet executed 
at a time of the identifying [figure 4A, 424; the instructions of the file; column 2 lines 51- 
67]; 

for at least the current instruction that has been identified for submission to the 
processor for execution, computing a hash value as a function of a sub-set of contents 
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of a current memory block that contains the current instruction [figure 4A, 424, fetch 
instruction; figure 4B, 468, tliree bytes match?- 474, viral signature match]; 

determining, during executing of the series of instructions, whether the hash 
value satisfies a validation condition by comparing the hash value of the current 
memory block with a set of reference values [figure 4B, viral signature match is 
determined from a list of stored reference values]; 

if the hash value satisfies the validation condition, allowing continued execution 
of series of instructions [figure 4B, 484, file is uninfected is the validation condition; it is 
inherent to that a file is allowed to execute after being deemed virus-free]; 

wherein the computing of the hash value comprises applying a mask to the 
current memory block, the mask being a data structure that designates at least one byte 
of the current memory block to be ignored in the computing of the hash value, the data 
structure designating less than an entire memory block so that the hash value is based 
on only part of the contents of the current memory block [column 12 lines 20-30, the 
selected page locations are scanned and the non-selected ones are ignored]. 

013 does not disclose hash values as reference values and generating a 
protective response when the identifying value does not satisfy the validation condition. 
510 discloses notifying the user when a virus is detected [column 4 lines 54-63]. All the 
claimed elements were known in the prior art at the time of invention and it would have 
been obvious to one of ordinary skill in the art to modify the method of 01 3 with the 
notification to the user and checking to see if a file has been modified [figure 3] as 
disclosed by 510 by known methods with no change in their respective functions, and 
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the combination would have yielded predictable results to one of ordinary skill in the art 
at the time of invention. 
Regarding claim 7: 

013 and 510 disclose the method of claim 6, further comprising: 

identifying, an indeterminate portion of the current memory block, the 
indeterminate portion being non-indicative of validity of the current memory block as a 
whole [073, figure 5, checks for register modifications]; and 

configuring the mask so that the mask designates at least the indeterminate 
portion to be ignored when generating the hash value [013, figure 5, 512, exclude all 
viruses that cannot perform memory write with non-initialized index register]. 

Regarding claims 8 and 41 : 

013 and 510 disclose the method of claim 2, further comprising: 

for each of the separately addressable memory blocks, indicating in a structure 
whether the memory block is valid [510, column 3 lines 46-54, register means includes 
hardware, software, and/or firmware registers, stacks, flags, automata, indication bits, 
etc.; a stack is a structure]; 

accessing the structure to determine whether the memory block is valid prior to 
the determining of the identifying value [013, column 11 lines 60-65, any affected 
portion is tagged]; and 

performing the determining of the identifying value when the structure does not 
indicate that the memory block is valid and directly allowing execution of the next 
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instruction wlien tlie structure indicates that the nnemory block is valid [013, column 12 
lines 8-19, flagged items are scanned]. 
Regarding claims 9 and 42: 

013 and 510 disclose the method of claim 8, wherein the structure comprises a 
group of hardware attribute indicators, and wherein the indicating in the structure 
whether the plurality of memory blocks is validated comprises setting one of the 
hardware attribute indicators, the one hardware attribute indicator corresponding to the 
memory block [510, column 3 lines 46-54, register means includes hardware, software, 
and/or firmware registers, stacks, flags, automata, indication bits, etc.]. 

Regarding claims 10 and 43: 

013 and 510 disclose the method as in claim 9, in which the hardware attribute 
indicators are execute and write permission attributes associated with an entry in a 

translation lookaside buffer [510, column 3 lines 46-54, register means includes 
hardware, software, and/or firmware registers, stacks, flags, automata, indication bits, 
etc.]. 

Regarding claims 1 1 and 44: 

013 and 510 disclose the method of claim 8, wherein the structure comprises a 
software data structure, and wherein the indicating in the structure whether the plurality 
of memory blocks is validated comprises making a corresponding entry in the software 
data structure [510, column 3 lines 46-54, register means includes hardware, software, 
and/or firmware registers, stacks, flags, automata, indication bits, etc.; a stack is a 
structure]. 
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Regarding claim 12: 

013 and 510 disclose the method of claim 8, the determining of the identifying 
value for the memory block and the determining of whether the identifying value 
satisfies the validation condition are performed only when the structure does not 
indicate that the memory block is valid, the method further comprising: 

modifying the structure so that the memory block is not indicated as being valid 
when the identifying value satisfies the validation condition [510; column 3 line 58- 
column 4 line 64, the current sector matches a validation condition (matches the 
reference value) then it rescans the file for viruses; it is inherent to mark the file as virus- 
free or contaminated]. 

Regarding claim 13: 

013 and 510 disclose the method of claim 12, further comprising: 
sensing modification of one of the memory blocks that the structure indicates is 
valid and, in response to the modification, setting its indication in the structure to 
indicate that the memory block is not valid [013; figure 5, 502-512]. 
Regarding claim 14: 

01 3 and 51 0 disclose the method of claim 8, but does not disclose the method 
further comprising: 

determining a branch history for the next instruction; and 

checking whether the memory blocks in which instructions in the branch history 
are located are valid, the validation condition including the requirement that each 
checked memory block in the branch history is valid. 
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Examiner takes official notice that branch prediction is well known in the art at the 
time of invention. All the claimed elements were known and it would have been obvious 
to one or ordinary skill in the art to combine the elements by known methods with no 
change in their respective functions, and the combination would have yielded 
predictable results to one of ordinary skill in the art at the time of invention. 

Regarding claim 15: 

013 and 510 disclose the method of claim 2, wherein the determining of the 
identifying value and the determining as to whether the validation condition has been 

satisfied are performed only after a triggering event occurs [it is inlierent tliat a file be 
checked after the occurrence of a triggering event whether by a user, a time-based 
trigger, an active trigger, etc.]. 
Regarding claim 16: 

01 3 and 51 0 disclose the method of claim 1 5, wherein the triggering event Is 
writing of at least one new unit of code or data to any physical component within the 
computer [510, column 3 lines 35-36, the file changed thus causing a new unit of data]. 

Regarding claim 17: 

013 and 510 disclose the method of claim 15, but does not disclose In which the 
triggering event Is an attempted execution of any instruction located on any unverified 
memory block. Examiner takes official notice that dynamically scanning a program as It 
is being opened or executed is known. It would have been obvious to one of ordinary 
skill in the art at the time of invention to modify the method of Nachenberg to scan a 
program in order to ensure the integrity of an executable program while it is running or 



Application/Control Number: 1 0/791 ,602 Page 1 1 

Art Unit: 2439 

to detect infections between a programs integrity check and execution [A Generic Virus 
Scanner in C++, page 6, section 2.5] 
Regarding claim 18: 

013 and 510 disclose the method of claim 15, wherein the triggering event is an 

attempted execution of any instruction located on any unverified memory blocl< of newly 
installed software [510, column 3 lines 26-40, the newly installed software would be 
scanned on the fact that it is being examined for the first time]. 
Regarding claim 19: 

013 and 510 disclose the method of claim 15, further comprising triggering the 
verification of the computer instructions depending on an identity of a user of the 
computer, the user having caused the next instruction to be identified for execution [it is 
inherent that a computer OS has a method for access control based on the user of the 
system in that the program will not load if the user does not have permission to run if\. 

Regarding claim 21 : 

013 and 510 disclose the method of claim 15, further comprising triggering 
dynamic verification depending on a context in which the next instruction is submitted 
for execution, wherein the context is a level of security clearance associated with the 
computer, a user of the computer, or a program of which the next instruction is a part [it 
is inherent that a computer OS has a method for access control based on the user of 
the system in that the program will not load if the user does not have permission to run 
if\. 

Regarding claim 22: 
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013 and 510 disclose tlie metlnod of claim 2, wherein the identifying of the next 
instruction is performed for only a sample of the series of instructions [510, figure 1 
shows the file is divided into a plurality of sectors and only sectors 1,2,3 and J are 
scanned]. 

Regarding claim 23: 

013 and 510 disclose the method of claim 22, wherein the sample is a time- 
sampled sub-set of the series of instructions [it is inherent that the virus scanner 
disclosed by Nachenberg relies upon some period of time elapsing between samples]. 

Regarding claim 24: 

013 and 510 disclose the method of claim 22, wherein the sample is a 
sequentially sampled sub-set of the series of instructions [510, figure 1 shows the 
sectors 1, 2 and 3; it is inherent that these sectors would be sequentially sampled]. 

Regarding claim 25: 

013 and 510 disclose the method of claim 22, wherein the sample is a sub-set of 
the series of instructions sampled spatially, the sampling being over a range of memory 
block identifiers [510, figure 1 shows the sectors 1, 2, 3 are a set size and spatially 

sampled]. 

Regarding claim 26: 

013 and 510 disclose the method of claim 2, but does not disclose wherein the 
response comprises termination of a software entity with which the current memory 
block is associated. Examiner takes official notice that suspending or cancelling a 
current software's execution when a virus has been detected was well known in the art 
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at the time of invention. All the claimed elements were known in the prior art and it 
would have been obvious to one skilled in the art to combine the elements as claimed 
by known methods with no change in their respective functions, and the combination 
would have yielded predictable results to one of ordinary skill in the art at the time of 
invention. 

Regarding claim 27: 

013 and 510 disclose the method of claim 2, wherein the response comprises 
suspension of execution of a software entity with which the current memory block is 
associated. Examiner takes official notice that suspending or cancelling a current 
software's execution when a virus has been detected was well known in the art at the 
time of invention. All the claimed elements were known in the prior art and it would 
have been obvious to one skilled in the art to combine the elements as claimed by 
known methods with no change in their respective functions, and the combination would 
have yielded predictable results to one of ordinary skill in the art at the time of invention. 

Regarding claim 28: 

013 and 510 disclose the method of claim 2, wherein the response comprises a 
message posted to a user, system administrator, or other predetermined recipient [510, 
column 4 lines 48-63, sends a message to the user to via the interface]. 

Regarding claim 30: 

013 and 510 disclose the method of claim 2, wherein: the computer includes a 
virtual machine running on an underlying hardware platform via an intermediate 
software layer; and the response includes checkpointing the state of the virtual machine 
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[013, column 3 line 6-18, the CPU emulator is a virtual machine that tricks the virus into 
thinking it is being run on the CPU\. 
Regarding claim 31 : 

013 and 510 disclose the method of claim 2, wherein the response is a first 
possible response, the method further comprising: associating the first possible 
response with the memory block; associating a second possible response with a 
different memory block; upon detection of failure of the next instruction to satisfy the 
validation condition, identifying which one of the possible responses is associated with 
the memory block, and generating the one possible response associated with the 
memory block in which the next instruction is located [510, column 4 lines, 
determination is sent to the user, it is inherent that the determination will be different for 
different memory]. 

Regarding claim 32: 

013 and 510 disclose the method of claim 2, further comprising: associating 
reference values from the set of reference values with respective programs such that 
each association signifies that the reference value corresponds to a memory block 
storing instructions for one of the programs; and tracking which of the respective 
programs is being executed and the association between the matching reference value 
and the corresponding one of the programs [510, column 1 lines 27-36, a hash value is 
associated with a program/file]. 
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Claims 29, 33, 46, and 47 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over 013 and 510 as applied to claims 2 and 35 above, and further in view 
of SimOS. 

013 and 510 disclose the method of claim 2, wherein: 

the computer Includes a virtual machine running in a direct execution mode on an 
underlying hardware platform via an intermediate software layer [013, column 3 lines 6- 
16, the CPU emulator is a virtual machine that tricks the virus into thinking it is being run 
on the CPU], but does not disclose the response comprises a switching of an execution 
mode of the virtual machine from the direct execution mode to a binary translation 
mode. SimOS discloses the ability to switch between direct execution and binary 
translation modes [page 40, Switching simulators and sampling]. It would have been 
obvious to one or ordinary skill in the art at the time of invention to modify the method of 
01 3 and 51 0 to allow switching of modes in order to dynamically generate code 
supports on-the-fly changes of the simulator's level of detail [page 39, column 2 
paragraph 3]. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to JAMES TURCHEN whose telephone number is 
(571 )270-1378. The examiner can normally be reached on MTWRF 7:30-5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571 )272-381 1 . The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

JRT 

/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2434 



